Home / Kong Ingress Controller / Secrets management
Edit
Report

Configure Hashicorp Vault

Uses: Kong Ingress Controller
Related Documentation
All KIC Documentation
Tags
#secrets-management #security
Related Resources
Secrets management
Minimum Version
Kong Ingress Controller - 3.1
TL;DR

Create a KongVault CRD and then use the vault:// reference in your plugin configuration

Prerequisites

Kong Konnect

If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

  1. The following Konnect items are required to complete this tutorial:
    • Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.

  2. Set the personal access token as an environment variable:

    export KONNECT_TOKEN='YOUR KONNECT TOKEN'

Create a KIC Control Plane

Use the Konnect API to create a new CLUSTER_TYPE_K8S_INGRESS_CONTROLLER Control Plane:

CONTROL_PLANE_DETAILS=$(curl -X POST "https://us.api.konghq.com/v2/control-planes" \
     -H "Authorization: Bearer $KONNECT_TOKEN" \
     --json '{
       "name": "My KIC CP",
       "cluster_type": "CLUSTER_TYPE_K8S_INGRESS_CONTROLLER"
     }')

We’ll need the id and telemetry_endpoint for the values.yaml file later. Save them as environment variables:

CONTROL_PLANE_ID=$(echo $CONTROL_PLANE_DETAILS | jq -r .id)
CONTROL_PLANE_TELEMETRY=$(echo $CONTROL_PLANE_DETAILS | jq -r '.config.telemetry_endpoint | sub("https://";"")')

Create mTLS certificates

Kong Ingress Controller talks to Konnect over a connected secured with TLS certificates.

Generate a new certificate using openssl:

openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=kongdp/C=US" -keyout ./tls.key -out ./tls.crt

The certificate needs to be a single line string to send it to the Konnect API with curl. Use awk to format the certificate:

export CERT=$(awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' tls.crt);

Next, upload the certificate to Konnect:

curl -X POST "https://us.api.konghq.com/v2/control-planes/$CONTROL_PLANE_ID/dp-client-certificates" \
     -H "Authorization: Bearer $KONNECT_TOKEN" \
     --json '{
       "cert": "'$CERT'"
     }'

Finally, store the certificate in a Kubernetes secret so that Kong Ingress Controller can read it:

kubectl create namespace kong -o yaml --dry-run=client | kubectl apply -f -
kubectl create secret tls konnect-client-tls -n kong --cert=./tls.crt --key=./tls.key

Kong Ingress Controller running (with an Enterprise license)

  1. Add the Kong Helm charts:

    helm repo add kong https://charts.konghq.com
helm repo update

  2. Create a file named license.json containing your Kong Gateway Enterprise license and store it in a Kubernetes secret:

    kubectl create namespace kong --dry-run=client -o yaml | kubectl apply -f -
kubectl create secret generic kong-enterprise-license --from-file=license=./license.json -n kong

  3. Create a values.yaml file:

    cat <<EOF > values.yaml
gateway:
  image:
    repository: kong/kong-gateway
  env:
    LICENSE_DATA:
      valueFrom:
        secretKeyRef:
          name: kong-enterprise-license
          key: license
EOF

  4. Install Kong Ingress Controller using Helm:

    helm install kong kong/ingress -n kong --create-namespace --values ./values.yaml

HashiCorp Vault

  1. Install Vault in dev mode. This is not recommended for production deployments:

     helm install vault hashicorp/vault \
   --set='server.dev.enabled=true' \
   --namespace vault \
   --create-namespace

  2. Create a secret in HashiCorp Vault:

     kubectl exec -it -n vault vault-0 -- \
   vault kv put secret/customer/acme name="ACME Inc."

Create a KongVault entity

Kong Ingress Controller uses the KongVault entity to configure the connection to a Vault. As we’re running Hashicorp Vault in dev mode, we can use the root token to access the Vault:

echo "
apiVersion: configuration.konghq.com/v1alpha1
kind: KongVault
metadata:
  name: hcv-vault
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
spec:
  backend: hcv
  prefix: hashicorp-vault
  description: Storing secrets in HashiCorp Vault
  config:
    host: vault.vault.svc.cluster.local
    token: root
    kv: v2
    mount: secret
    port: 8200
    protocol: http
" | kubectl apply -f -

We can now access secrets in this vault using the vault://hashicorp-vault/$KEY syntax. The hashicorp-vault prefix matches the prefix field in the KongVault resource.

Validate your configuration

To validate that the secret was stored correctly in HashiCorp Vault, you can call a secret from your vault using the kong vault get command within the Data Plane Pod.

kubectl exec -n kong -it deployment/kong-gateway -c proxy -- kong vault get {vault://hashicorp-vault/customer/acme/name}

kubectl exec -n kong -it deployment/kong-gateway -c proxy -- kong vault get {vault://hashicorp-vault/customer/acme/name}

If the vault was configured correctly, this command should return the value of the secret. You can use {vault://hashicorp-vault/customer/acme/name} to reference the secret in any referenceable field.

Cleanup

Uninstall KIC from your cluster

 
helm uninstall kong -n kong

Uninstall HashiCorp Vault from your cluster

 
kubectl delete namespace vault

Next Steps

Review the Vaults entity
Something wrong?
Report an Issue | Edit this Page

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help

Ask in our Forum
Contact Support